As remote access of computer systems and applications grows in popularity, the number and variety of transactions which are accessed remotely over public networks such as the Internet have increased dramatically. This popularity has underlined a need for security; in particular: how to ensure that people who are remotely accessing an application are who they claim to be, how to ensure that transactions being conducted remotely are initiated by legitimate individuals, and how to ensure that transaction data have not been altered before being received at an application server.
One way to secure access to remote applications is the use of an authentication application on a user's personal device such as a user's smartphone. In some cases, such an authentication application may be adapted to dynamically generate credentials. In some cases, these dynamic credentials may be presented to the user on the user's personal device, e.g. in the form of a string of alphanumerical characters, for the user to forward to the remote application that the user is accessing and that needs to be secured. Alternatively, the authentication application may send the generated dynamic credential directly (e.g. using an internet connection established by the user's personal device) to the remote application. Upon receipt of the dynamic credential the remote application may then verify the dynamic credential that it received from the user or the user's personal device and may grant access to the user on condition that the verification of the received dynamic credential was successful.
In some cases, the user intends to submit a transaction to the remote application. In such cases the remote application may require the user to generate a dynamic credential with the authentication application on his or her personal device and to provide that dynamic credential to the remote application. The remote application may then verify the dynamic credential that it received from the user and may accept the transaction on condition that the verification of the received dynamic credential was successful.
If the dynamic credential is cryptographically linked to the transaction data that characterize the transaction, then the dynamic credential may also be referred to as a signature or transaction data signature.
In some cases, the authentication application may be adapted to obtain and present the transaction data to the user such that the user can verify these transaction data. In some cases, the authentication application may present the transaction data to the user and may request the user to approve the presented transaction data and may generate and display a dynamic credential or signature for these transaction data only if the user indeed approved the presented transaction data. In some cases, the authentication application may generate the dynamic credential without requiring an explicit approval and may for example present the transaction data for which it generated the dynamic credential along with the generated dynamic credential to the user so that the user may verify whether the transaction data are correct and may decide depending on that verification whether or not to forward the generated dynamic credential.
In some cases, the user may be accessing and interacting with a remote application using an access device. For example, the user may be using a computing device, such as a Personal Computer (PC) or laptop, connected over a network such as the internet to a remote server computer that may be hosting the remote application. The user may use the access device to submit a transaction to the remote application. In such a case, an attacker may try to interfere, for example by means of a man-in-the-middle or a man-in-the-browser attack (e.g. by using malware installed on the user's PC or laptop), and may try to substitute the data of the legitimate transaction intended by the user with other data of a fraudulent transaction. For example, if the user is accessing an internet banking application and submits a money transfer order, an attacker may try to substitute the intended destination account number with a fraudulent account number associated with the attacker.
To protect against such attacks, the remote application may send the transaction data that it received to an authentication device of the user that is different from the access device that the user is using for accessing the remote application. The authentication device may present to the user the transaction data that it received from the remote application so that the user can verify the data that the remote application has received. The authentication device may also generate and present to the user a dynamic credential that is associated or linked to the presented transaction data. The user may then forward this dynamic credential to the remote application as a proof of approval by the user of the transaction data.
If an attacker has substituted the real transaction data, which the legitimate user intended to submit to the remote application using the access device, with fraudulent data, then the remote application will receive these fraudulent data and send them to the user's authentication device. The authentication device will present these fraudulent data to the user for verification. Upon verification of the presented data, the user will notice the discrepancy between the presented data and the real data of the transaction that the user actually intended to submit to the remote application, and can either reject the fraudulent data (upon which the authentication device will not generate a corresponding dynamic credential) or (if the authentication device generates a credential in any case and presents the generated credential to the user together with the received transaction data) decide not to forward the generated credential. Either way, the remote application will not receive a credential that matches the fraudulent data and the fraudulent transaction will not be accepted. The attacker may anticipate this and may back-substitute the (fraudulent) confirmation data that the remote application sends to the user's authentication device with the legitimate data that the user submitted and expects to verify on the authentication device. However, if the dynamic credential is cryptographically linked to the transaction data (for example if the authentication device generates a cryptographic signature over the confirmation data that are received from the remote application and presented to the user), this will also be detected. More specifically, to verify the received credential the remote application will use in the verification process the fraudulent data that it originally received from the attacker (which the attacker submitted to the remote application instead of the data that the user intended to submit). In this case, however, the dynamic credential would be cryptographically linked to the back-substituted data that the attacker provided to the user's authentication device instead of the confirmation data that the remote application intended to send to the authentication device, so the verification of the dynamic credential will fail.
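The substitution and back-substitution cases above, worked through as an added Python example that is not code from the original document; it assumes an HMAC-SHA256 over canonically serialised transaction data as the cryptographic link and a device key shared with the remote application, both constructed here for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample secret: stands in for the key provisioned into the user's
# authentication device at enrolment (an assumption; the text names no scheme).
DEVICE_KEY = b"constructed-device-key-0123456789abcdef"

# Constructed sample transaction data and the attacker's substituted version.
INTENDED_TX = {"from": "BE00 1234", "to": "BE00 5678", "amount": "100.00", "currency": "EUR"}
FRAUD_TX = dict(INTENDED_TX, to="BE00 9999")


def canonical(tx: dict) -> bytes:
    """Serialise transaction data so device and server MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, tx: dict) -> str:
    """Authentication device: credential cryptographically linked to the data it displays."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify_transaction(key: bytes, tx_received: dict, credential: str) -> bool:
    """Remote application: recompute over the data it originally received, compare in constant time."""
    return hmac.compare_digest(sign_transaction(key, tx_received), credential)


def run_scenario(intended: dict, substitute: Optional[dict] = None,
                 back_substitute: bool = False) -> Tuple[bool, str]:
    """Walk one transaction through access device, remote app, authentication device and user.

    substitute: data a man-in-the-browser puts in place of the user's submission.
    back_substitute: attacker also rewrites the confirmation shown on the authentication
    device so the user sees the intended data and approves.
    """
    submitted = substitute if substitute is not None else intended  # what the app receives
    confirmation = intended if back_substitute else submitted       # what the device shows
    if confirmation != intended:
        return False, "user rejected"          # user notices the discrepancy, no credential forwarded
    credential = sign_transaction(DEVICE_KEY, confirmation)
    if verify_transaction(DEVICE_KEY, submitted, credential):
        return True, "accepted"
    return False, "signature mismatch"         # credential is bound to other data than the app holds


if __name__ == "__main__":
    print("legitimate:        ", run_scenario(INTENDED_TX))
    print("substitution:      ", run_scenario(INTENDED_TX, FRAUD_TX))
    print("back-substitution: ", run_scenario(INTENDED_TX, FRAUD_TX, back_substitute=True))
```

The third scenario is the one the text singles out: the user approves what looks like the intended data, yet the credential still fails because the remote application verifies it against the fraudulent data it actually received.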
In some cases, the user's authentication device may comprise a personal device associated with the user. In some cases, the user's authentication device may be a hardware device that is fully dedicated to providing the authentication and data signature functions as described above. In other cases, the user's authentication device may comprise a personal multifunctional device which among many other applications may also support an authentication application. A user's smartphone or tablet computer equipped with an authentication app may be an example of such a personal multifunctional device.
The discussion of the background to the invention herein is included to explain the context of the invention. This shall not be taken as an admission that any of the material discussed above was published, known or part of the common general knowledge at the priority date of this application.